Improperly implemented VMware View certificates spell a lot of wasted time for IT administrators and end users, but the issue is easily avoidable.
Every time an end user is presented with a choice -- such as whether to proceed to a page with a bad security certificate -- it creates an atmosphere of confusion, which spawns unnecessary help desk tickets and diminishes trust in IT, said Brad Maher, VCP and VCAP, senior solution architect at Focus Technology Solutions, during his 2013 Virtual Technology Users Group (VTUG) presentation in Foxborough, Mass.
When implementing certificates in a user-friendly way, VMware View administrators should focus on load balancing, "friendly" URLs, zero clients and special use cases such as kiosk mode, Maher said.
Avoidable certificate pitfalls
VMware View 5 certificate management became Windows-based last year, instead of the previous Java-based key store method. View administrators manage root, intermediate and website certificates.
Map these certificates to every URL that your View-based virtual desktop infrastructure uses. View 5 clients will check that the certificate matches the expected connection name and that it is trusted. (This process varies by browser.) Otherwise, VDI users will see various error messages about an incorrectly formatted View certificate for a URL and reach out to IT for help.
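To make the name check concrete, the following Python sketch is an added example, not code from Maher's presentation or from VMware. It takes the DNS names on a certificate and the URLs users connect to, and reports which URLs would trigger a name-mismatch warning. All host names, the address and the name list are constructed sample data; the matching rule is a simplified leftmost-label wildcard check, and it does not validate the trust chain.

```python
import ipaddress
from urllib.parse import urlsplit

def is_ip(host: str) -> bool:
    """True if the host is an IP literal; a DNS name on a certificate never covers one."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with a host name (case-insensitive).
    Only a whole leftmost label of '*' is treated as a wildcard."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                  # '*' stands for exactly one label
    if p[0] == "*":
        # Reject over-broad patterns such as '*.com'
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered_urls(cert_names, urls):
    """Return the URLs whose host matches none of the certificate's names."""
    missing = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if is_ip(host) or not any(name_matches(n, host) for n in cert_names):
            missing.append(url)
    return missing

# Constructed sample data: names on the certificate and URLs users actually type
CERT_NAMES = ["view.example.com", "*.corp.example.com"]
VIEW_URLS = [
    "https://view.example.com/",        # friendly, load-balanced name
    "https://cs01.corp.example.com/",   # one server behind the load balancer
    "https://cs01/",                    # short name typed by internal users
    "https://kiosk.view.example.com/",  # special scenario on its own URL
    "https://10.0.0.5/",                # connection by address
]

if __name__ == "__main__":
    for url in uncovered_urls(CERT_NAMES, VIEW_URLS):
        print("no matching certificate name:", url)
```

Running it against the sample list flags the short name, the kiosk URL and the IP address, which are the connection paths that would still need a certificate name or a change in how users reach the broker.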
Tips for VMware View success
Maher's tips went beyond the basics of VMware View certificates to address other common pain points in the View certificate implementation process and offer some guidance.
Load balancing. Maher touched on load balancing for View virtual desktops at his VTUG session, explaining that domain name system (DNS) round-robin load balancing does not give the administrator any intelligence.
"It's the least desirable choice," Maher said.
A load-balancing appliance option such as Windows Network Load Balancing, however, is "difficult to implement in a VMware infrastructure." Check out virtual apps for hardware load balancing, Maher said; you have a lot of management options.
Zero clients. On the hardware side of VDI, thin and fat clients can compound VDI management complexity.
"Whenever possible, deploy zero clients with virtual appliance management consoles," Maher suggested. Zero clients eliminate endpoint management overhead, because they move the desktop's OS and associated software to the server.
"If your VDI deployment must use thin clients, make all the thin clients at the same software level," he added.
Special broker scenarios. Another potential pitfall in VDI comes from special broker scenarios. Brokers are how you manage connections between the end user and the virtual desktop. Special scenarios go beyond the standard user-to-virtual-desktop connection.
For example, kiosk-mode VDI circumvents the user name-password combo and instead enables the virtual desktop from a MAC address. Another option is two-factor authentication, where you'll pair VMware View with a security server.
For VDI environments that internal and external users access, administrators might want to implement normal brokers for internal users and two-factor setups for guests. These various scenarios affect your URLs, so take into account the user landscape when implementing View.
Supporting tools. Try these additional resources for VMware View certificate management:
- Teradici: Maher recommends setting up a Teradici tech support account -- it's free -- and getting accustomed to the certificate connections available in the Teradici PC over IP (PCoIP) protocol.
- Certificate format conversion: Several tools can manipulate the certificate format; it's often necessary to convert VMware View certificates from PFX to PEM format. Try VMware Workstation or Linux Cygwin for the task.
- VMware flings: Use PCoIP Log Viewer (created by a VMware employee but not produced or sold by VMware) to test out VDI configuration settings. You can fast-forward, rewind and save the log. Once you've tweaked the configuration to your liking, deploy it with a group policy.